It's Microsoft Patch Tuesday: September 2013

Tony Bradley gathers the information you need to make the right deployment decision when applying Microsoft's September 2013 patches in your organization.

Fall doesn't technically start for a couple weeks, but the
kids are back in school, the NFL season has kicked off, and the Pumpkin Spice
Latte is back at your neighborhood Starbucks. Microsoft is 'celebrating' fall
with an avalanche of security bulletins for the September 2013 Patch Tuesday.

Apparently Microsoft encountered some issues between last
week and today, because it had projected 14 security bulletins for today, but
only 13 were released. There are four updates rated as Critical, with the other
nine all ranked as Important by Microsoft. The security bulletins impact a wide
range of products and services, including Windows, Microsoft Office,
SharePoint, and what seems to now be the monthly update for Internet Explorer.

For SharePoint, an attacker could abuse the ViewState
mechanism on two specific web pages and gain control over the server. By
default, those pages require authentication, which limits the attack vector. If
you have reconfigured authentication, this bulletin should be high on your
list. Note that the bulletin contains workaround steps that you can apply
immediately even if you cannot deploy the patch right away.

MS13-067 addresses ten vulnerabilities in SharePoint Server,
and affects SharePoint 2003, 2007, 2010, and 2013, along with Office Web Apps
2010. The patch addresses multiple elevation-of-privilege vulnerabilities that
could allow an attacker to execute code in the context of another SharePoint
user. In certain situations where the default authentication mechanism has been
changed, an attacker may be able to take control of the server. Safeguarding
sensitive data is critical, so make sure to get this patch rolled out as soon
as possible.

MS13-068 fixes a critical, privately reported vulnerability
in Outlook that an attacker could use to execute arbitrary code in the
context of the current user. It affects both Outlook 2007 and 2010. Attackers
can exploit this without specific user interaction by crafting malicious S/MIME
messages and sending them to target users. When the malicious message is
opened, the exploit is triggered and the vulnerable system is compromised, enabling
the attacker to run code in the context of the user. The attack vector makes it
urgent to apply this patch as soon as possible.

MS13-069 is the latest cumulative security update for the
Internet Explorer web browser. The update applies to all supported versions of
Internet Explorer, but none of the underlying flaws affects every version of the
browser. This patch should still be deployed as quickly as possible, because
any of these vulnerabilities can be used in drive-by exploits that allow the
attacker to execute code in the context of the current user.

This update fixes a privately reported bug in the Windows
operating system that could allow remote code execution. If a user
opens a file containing a specially crafted malicious OLE object, the system
will be compromised, and the attacker will be able to execute code with the
same rights as the user. Users whose accounts are configured with fewer
rights on the system are less affected than users who operate with
administrative rights.

Some users love to download and apply cool themes to
customize the look and feel of Windows. The vulnerability addressed by this
patch can be exploited through a specially crafted malicious Windows theme. One
mitigating factor is that the user must download and apply the malicious theme
for the attack to work, so educating users to avoid suspicious or
shady themes is advised as well.

This update resolves a smorgasbord of privately reported vulnerabilities in
Microsoft Office, 13 in all. The more severe vulnerabilities can be exploited
when a specially crafted file is opened in an affected version of
Microsoft Office, and the attacker may be able to execute code in the
context of the user. As with other similar issues, one way to mitigate the
threat is to limit user privileges and not allow users to log in with
administrative privileges.

This update is similar in scope and impact to MS13-072, but
specific to Microsoft Excel. It resolves three privately reported
vulnerabilities that could allow remote code execution in the context of the
user if successfully exploited. Again, limiting user privileges on the system
can minimize the threat or impact of these flaws.

This security update resolves three privately reported
vulnerabilities in Microsoft Office, specifically Microsoft Access. As with
MS13-072 and MS13-073, a specially crafted malicious Microsoft Access file
could be used to exploit the flaws. A successful attack could allow the
attacker to execute code with the same rights and privileges as the currently
logged-in user.

This update only affects Microsoft Office IME, a Chinese
version of the productivity suite. If an attacker launches Internet Explorer
from the toolbar in Microsoft Pinyin IME for Simplified Chinese, they may be
able to run arbitrary code in kernel mode. A successful exploit could enable an
attacker to install malicious software and add or remove user accounts with
administrative privileges. Only implementations of Microsoft Pinyin IME 2010
are affected by this vulnerability; other versions of Simplified Chinese IME
and other IME implementations are not affected.

This update resolves seven privately reported
vulnerabilities in Microsoft Windows. The potential threat is minimal because
an attacker must have valid logon credentials and be logged on locally to
exploit these vulnerabilities. A successful exploit could allow the attacker to
elevate their privileges on the compromised system.

MS13-077 / KB2872339 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege

This update fixes one privately reported flaw in Microsoft
Windows. The threat is minimal because the attacker must either have valid
logon credentials and be logged on locally to the vulnerable system, or trick a
user into running a specially crafted application that triggers the exploit. If
an attack is successful, the attacker could gain elevated privileges on the
compromised system.
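Since the deployment decision is the point of this roundup, here is an added PowerShell example (not from the article or from Microsoft) that confirms whether the MS13-077 fix, KB2872339, is actually present on a set of hosts before the bulletin is marked as deployed. The host names are constructed placeholders; the KB number is the one quoted on this page.

```powershell
# Added example: verify that a given hotfix is installed across a list of hosts.
# Uses Get-HotFix, which reads the installed-updates list over the remote
# Windows Management Instrumentation channel; the account running this needs
# admin rights on the targets.
function Get-PatchStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$HotFixId = 'KB2872339'   # MS13-077, as quoted on this page
    )
    foreach ($computer in $ComputerName) {
        # Check reachability first so "Missing" is never confused with "Unreachable".
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $computer; HotFixId = $HotFixId
                               Status = 'Unreachable'; InstalledOn = $null; Detail = '' }
            continue
        }
        try {
            $fix = Get-HotFix -Id $HotFixId -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{ Computer = $computer; HotFixId = $HotFixId
                               Status = 'Installed'; InstalledOn = $fix.InstalledOn; Detail = '' }
        } catch {
            # Get-HotFix raises an error both when the hotfix is absent and when the
            # remote query fails; keep the message so the two can be told apart.
            [pscustomobject]@{ Computer = $computer; HotFixId = $HotFixId
                               Status = 'Missing'; InstalledOn = $null
                               Detail = $_.Exception.Message }
        }
    }
}

# Constructed host list; in practice feed this from AD or your asset inventory.
Get-PatchStatus -ComputerName 'ws-example-01', 'ws-example-02' |
    Format-Table -AutoSize
```

Any row whose Status is not Installed is a host still exposed to the elevation-of-privilege flaw the bulletin describes.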

Companies using Microsoft FrontPage could be at risk of
information disclosure as a result of this privately reported vulnerability. The
exploit cannot be triggered automatically, but if a user is tricked into
opening a specially crafted FrontPage document, the attacker may be able to
access restricted or sensitive information.

By Tony Bradley


Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology, and information security. He writes regularly for Forbes, and PCWorld, and contributes to a wide variety of online and print media outlets. He has authored or co-authored a number of books, including Unified Communications for Dummies, Essential Computer Security, and PCI Compliance.